projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
created libpts
[strongswan.git] / src / libimcv / pa_tnc / pa_tnc_msg.c
1 /*
2 * Copyright (C) 2011 Andreas Steffen
3 *
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "pa_tnc_msg.h"
18 #include "ietf/ietf_attr.h"
19 #include "ietf/ietf_attr_pa_tnc_error.h"
20 #include "ita/ita_attr.h"
21
22 #ifdef USE_PTS
23 #include "tcg/tcg_attr.h"
24 #endif /* USE_PTS */
25
26 #include <bio/bio_writer.h>
27 #include <bio/bio_reader.h>
28 #include <utils/linked_list.h>
29 #include <pen/pen.h>
30 #include <debug.h>
31
32
33 typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
34
35 /**
36 * PA-TNC message header
37 *
38 * 1 2 3
39 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
40 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
41 * | Version | Reserved |
42 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
43 * | Message Identifier |
44 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
45 */
46
47 #define PA_TNC_HEADER_SIZE 8
48 #define PA_TNC_RESERVED 0x000000
49
50 /**
51 * PA-TNC attribute
52 *
53 * 1 2 3
54 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
55 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
56 * | Flags | PA-TNC Attribute Vendor ID |
57 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
58 * | PA-TNC Attribute Type |
59 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
60 * | PA-TNC Attribute Length |
61 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
62 * | Attribute Value (Variable Length) |
63 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
64 */
65
66 #define PA_TNC_ATTR_FLAG_NONE 0x00
67 #define PA_TNC_ATTR_FLAG_NOSKIP (1<<7)
68 #define PA_TNC_ATTR_HEADER_SIZE 12
69 #define PA_TNC_ATTR_INFO_SIZE 8
70
71 /**
72 * Private data of a pa_tnc_msg_t object.
73 *
74 */
75 struct private_pa_tnc_msg_t {
76
77 /**
78 * Public pa_tnc_msg_t interface.
79 */
80 pa_tnc_msg_t public;
81
82 /**
83 * List of PA-TNC attributes
84 */
85 linked_list_t *attributes;
86
87 /**
88 * linked list of PA-TNC error messages
89 */
90 linked_list_t *errors;
91
92 /**
93 * Message identifier
94 */
95 u_int32_t identifier;
96
97 /**
98 * Encoded message
99 */
100 chunk_t encoding;
101 };
102
103 METHOD(pa_tnc_msg_t, get_encoding, chunk_t,
104 private_pa_tnc_msg_t *this)
105 {
106 return this->encoding;
107 }
108
109 METHOD(pa_tnc_msg_t, add_attribute, void,
110 private_pa_tnc_msg_t *this, pa_tnc_attr_t *attr)
111 {
112 this->attributes->insert_last(this->attributes, attr);
113 }
114
115 METHOD(pa_tnc_msg_t, build, void,
116 private_pa_tnc_msg_t *this)
117 {
118 bio_writer_t *writer;
119 enumerator_t *enumerator;
120 pa_tnc_attr_t *attr;
121 enum_name_t *pa_attr_names;
122 pen_t vendor_id;
123 u_int32_t type;
124 u_int8_t flags;
125 chunk_t value;
126 rng_t *rng;
127
128 /* create a random message identifier */
129 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
130 rng->get_bytes(rng, sizeof(this->identifier), (u_int8_t*)&this->identifier);
131 rng->destroy(rng);
132 DBG2(DBG_TNC, "creating PA-TNC message with ID 0x%08x", this->identifier);
133
134 /* build message header */
135 writer = bio_writer_create(PA_TNC_HEADER_SIZE);
136 writer->write_uint8 (writer, PA_TNC_VERSION);
137 writer->write_uint24(writer, PA_TNC_RESERVED);
138 writer->write_uint32(writer, this->identifier);
139
140 /* build and append encoding of PA-TNC attributes */
141 enumerator = this->attributes->create_enumerator(this->attributes);
142 while (enumerator->enumerate(enumerator, &attr))
143 {
144 attr->build(attr);
145 vendor_id = attr->get_vendor_id(attr);
146 type = attr->get_type(attr);
147 value = attr->get_value(attr);
148 flags = attr->get_noskip_flag(attr) ? PA_TNC_ATTR_FLAG_NOSKIP :
149 PA_TNC_ATTR_FLAG_NONE;
150
151 pa_attr_names = get_pa_attr_names(vendor_id);
152 if (pa_attr_names)
153 {
154 DBG2(DBG_TNC, "creating PA-TNC attribute type '%N/%N' "
155 "0x%06x/0x%08x", pen_names, vendor_id,
156 pa_attr_names, type, vendor_id, type);
157 }
158 else
159 {
160 DBG2(DBG_TNC, "creating PA-TNC attribute type '%N' "
161 "0x%06x/0x%08x", pen_names, vendor_id,
162 vendor_id, type);
163 }
164 DBG3(DBG_TNC, "%B", &value);
165
166 writer->write_uint8 (writer, flags);
167 writer->write_uint24(writer, vendor_id);
168 writer->write_uint32(writer, type);
169 writer->write_uint32(writer, PA_TNC_ATTR_HEADER_SIZE + value.len);
170 writer->write_data (writer, value);
171 }
172 enumerator->destroy(enumerator);
173
174 free(this->encoding.ptr);
175 this->encoding = chunk_clone(writer->get_buf(writer));
176 writer->destroy(writer);
177 }
178
179 METHOD(pa_tnc_msg_t, process, status_t,
180 private_pa_tnc_msg_t *this)
181 {
182 bio_reader_t *reader;
183 pa_tnc_attr_t *error;
184 u_int8_t version;
185 u_int32_t reserved, offset, attr_offset;
186
187 /* process message header */
188 if (this->encoding.len < PA_TNC_HEADER_SIZE)
189 {
190 DBG1(DBG_TNC, "%u bytes insufficient to parse PA-TNC message header",
191 this->encoding.len);
192 return FAILED;
193 }
194 reader = bio_reader_create(this->encoding);
195 reader->read_uint8 (reader, &version);
196 reader->read_uint24(reader, &reserved);
197 reader->read_uint32(reader, &this->identifier);
198 DBG2(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier);
199
200 if (version != PA_TNC_VERSION)
201 {
202 DBG1(DBG_TNC, "PA-TNC version %u not supported", version);
203 error = ietf_attr_pa_tnc_error_create(PEN_IETF,
204 PA_ERROR_VERSION_NOT_SUPPORTED, this->encoding);
205 goto err;
206 }
207
208 /* offset of the first PA-TNC attribute in the PA-TNC message */
209 offset = PA_TNC_HEADER_SIZE;
210
211 /* pre-process PA-TNC attributes */
212 while (reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE)
213 {
214 pen_t vendor_id;
215 u_int8_t flags;
216 u_int32_t type, length;
217 chunk_t value, attr_info;
218 pa_tnc_attr_t *attr;
219 enum_name_t *pa_attr_names;
220 ietf_attr_pa_tnc_error_t *error_attr;
221
222 attr_info = reader->peek(reader);
223 attr_info.len = PA_TNC_ATTR_INFO_SIZE;
224 reader->read_uint8 (reader, &flags);
225 reader->read_uint24(reader, &vendor_id);
226 reader->read_uint32(reader, &type);
227 reader->read_uint32(reader, &length);
228
229 pa_attr_names = get_pa_attr_names(vendor_id);
230 if (pa_attr_names)
231 {
232 DBG2(DBG_TNC, "processing PA-TNC attribute type '%N/%N' "
233 "0x%06x/0x%08x", pen_names, vendor_id,
234 pa_attr_names, type, vendor_id, type);
235 }
236 else
237 {
238 DBG2(DBG_TNC, "processing PA-TNC attribute type '%N' "
239 "0x%06x/0x%08x", pen_names, vendor_id,
240 vendor_id, type);
241 }
242
243 if (length < PA_TNC_ATTR_HEADER_SIZE)
244 {
245 DBG1(DBG_TNC, "%u bytes too small for PA-TNC attribute length",
246 length);
247 error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
248 PA_ERROR_INVALID_PARAMETER, this->encoding,
249 offset + PA_TNC_ATTR_INFO_SIZE);
250 goto err;
251 }
252
253 if (!reader->read_data(reader, length - PA_TNC_ATTR_HEADER_SIZE, &value))
254 {
255 DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute value");
256 error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
257 PA_ERROR_INVALID_PARAMETER, this->encoding,
258 offset + PA_TNC_ATTR_INFO_SIZE);
259 goto err;
260 }
261 DBG3(DBG_TNC, "%B", &value);
262
263 attr = pa_tnc_attr_create_from_data(vendor_id, type, value);
264 if (!attr)
265 {
266 if (flags & PA_TNC_ATTR_FLAG_NOSKIP)
267 {
268 DBG1(DBG_TNC, "unsupported PA-TNC attribute with NOSKIP flag");
269 error = ietf_attr_pa_tnc_error_create(PEN_IETF,
270 PA_ERROR_ATTR_TYPE_NOT_SUPPORTED, this->encoding);
271 error_attr = (ietf_attr_pa_tnc_error_t*)error;
272 error_attr->set_attr_info(error_attr, attr_info);
273 goto err;
274 }
275 else
276 {
277 DBG1(DBG_TNC, "skipping unsupported PA-TNC attribute");
278 offset += length;
279 continue;
280 }
281 }
282
283 if (attr->process(attr, &attr_offset) != SUCCESS)
284 {
285 attr->destroy(attr);
286 if (vendor_id == PEN_IETF && type == IETF_ATTR_PA_TNC_ERROR)
287 {
288 /* error while processing a PA-TNC error attribute - abort */
289 reader->destroy(reader);
290 return FAILED;
291 }
292 error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
293 PA_ERROR_INVALID_PARAMETER, this->encoding,
294 offset + PA_TNC_ATTR_HEADER_SIZE + attr_offset);
295 goto err;
296 }
297 add_attribute(this, attr);
298 offset += length;
299 }
300
301 if (reader->remaining(reader) == 0)
302 {
303 reader->destroy(reader);
304 return SUCCESS;
305 }
306 DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute header");
307 error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
308 PA_ERROR_INVALID_PARAMETER, this->encoding, offset);
309
310 err:
311 reader->destroy(reader);
312 this->errors->insert_last(this->errors, error);
313 return VERIFY_ERROR;
314 }
315
316 METHOD(pa_tnc_msg_t, create_attribute_enumerator, enumerator_t*,
317 private_pa_tnc_msg_t *this)
318 {
319 return this->attributes->create_enumerator(this->attributes);
320 }
321
322 METHOD(pa_tnc_msg_t, create_error_enumerator, enumerator_t*,
323 private_pa_tnc_msg_t *this)
324 {
325 return this->errors->create_enumerator(this->errors);
326 }
327
328 METHOD(pa_tnc_msg_t, destroy, void,
329 private_pa_tnc_msg_t *this)
330 {
331 this->attributes->destroy_offset(this->attributes,
332 offsetof(pa_tnc_attr_t, destroy));
333 this->errors->destroy_offset(this->errors,
334 offsetof(pa_tnc_attr_t, destroy));
335 free(this->encoding.ptr);
336 free(this);
337 }
338
339 /**
340 * See header
341 */
342 pa_tnc_msg_t *pa_tnc_msg_create_from_data(chunk_t data)
343 {
344 private_pa_tnc_msg_t *this;
345
346 INIT(this,
347 .public = {
348 .get_encoding = _get_encoding,
349 .add_attribute = _add_attribute,
350 .build = _build,
351 .process = _process,
352 .create_attribute_enumerator = _create_attribute_enumerator,
353 .create_error_enumerator = _create_error_enumerator,
354 .destroy = _destroy,
355 },
356 .encoding = chunk_clone(data),
357 .attributes = linked_list_create(),
358 .errors = linked_list_create(),
359 );
360
361 return &this->public;
362 }
363
364 /**
365 * See header
366 */
367 pa_tnc_msg_t *pa_tnc_msg_create(void)
368 {
369 return pa_tnc_msg_create_from_data(chunk_empty);
370 }
371
372 /**
373 * See header
374 */
375 enum_name_t* get_pa_attr_names(pen_t pen)
376 {
377 switch (pen)
378 {
379 case PEN_IETF:
380 return ietf_attr_names;
381 #ifdef USE_PTS
382 case PEN_TCG:
383 return tcg_attr_names;
384 #endif /* USE_PTS */
385 case PEN_ITA:
386 return ita_attr_names;
387 default:
388 return NULL;
389 }
390 }
391
strongSwan - IPsec VPN